Detectionmediumexperimental
AWS Key Pair Import Activity
Detects the import of SSH key pairs into AWS EC2, which may indicate an attacker attempting to gain unauthorized access to instances. This activity could lead to initial access, persistence, or privilege escalation, potentially compromising sensitive data and operations.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Log Source
AWScloudtrail
ProductAWS← raw: aws
Servicecloudtrail← raw: cloudtrail
Detection Logic
Detection Logic1 selector
detection:
selection:
eventSource: 'ec2.amazonaws.com'
eventName: 'ImportKeyPair'
condition: selectionFalse Positives
Legitimate administrative actions by authorized users importing keys for valid purposes.
Automated processes for infrastructure setup may trigger this alert.
Verify the user identity, user agent, and source IP address to ensure they are expected.
References
MITRE ATT&CK
Rule Metadata
Rule ID
92f84194-8d9a-4ee0-8699-c30bfac59780
Status
experimental
Level
medium
Type
Detection
Created
Thu Dec 19
Author
Path
rules/cloud/aws/cloudtrail/aws_ec2_import_key_pair_activity.yml
Raw Tags
attack.initial-accessattack.defense-evasionattack.t1078attack.persistenceattack.privilege-escalation